Saturday, June 18, 2005

Data Retention Reaches the US

Disturbing news from CNET, which reports that the US government has executed an about turn and decided to push data retention:

Justice Department officials endorsed the concept at a private meeting with Internet service providers and the National Center for Missing and Exploited Children, according to interviews with multiple people who were present. The meeting took place on April 27 at the Holiday Inn Select in Alexandria, Va.

'It was raised not once but several times in the meeting, very emphatically,' said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies. 'We were told, "You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn."'

McClure said that while the Justice Department representatives argued that Internet service providers should cooperate voluntarily, they also raised the 'possibility that we should create by law a standard period of data retention.' McClure added that 'my sense was that this is something that they've been working on for a long time.'

This represents an abrupt shift in the Justice Department's long-held position that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed "serious reservations about broad mandatory data retention regimes."

The current proposal appears to originate with the Justice Department's Child Exploitation and Obscenity Section, which enforces federal child pornography laws. But once mandated by law, the logs likely would be mined during terrorism, copyright infringement and even routine criminal investigations. (The Justice Department did not respond to a request for comment on Wednesday.)

It's hard to know where to begin assessing this development. But a few points strike me immediately.

First, the reference to "voluntary" retention coupled with a standard period set by law echoes the UK proposals for voluntary retention, and is likely to be rejected in the industry in exactly the same manner. The UK response made it clear that ISPs shuddered at the commercial implications of voluntary retention, seeing it as hugely expensive and likely to lead to customers defecting to other, more privacy-friendly ISPs.

Second, the data retention period sought by the Justice Department is two months. This immediately undercuts the claims by the Council of Justice and Home Affairs ministers that a period of up to three years is essential. Perhaps our representatives would now like to explain to us how they can seek such an extravagant period when the US apparently considers it unnecessary.

Third, the US already has a federal data preservation* law, which allows "a governmental entity" to require an ISP to preserve data in its possession for up to 90 days. To justify a data retention law, it would have to be shown that the data preservation rules were ineffective. Where's that evidence?

Fourth, note the distasteful threat from the DOJ: "You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn". As with other data retention proposals, the justification is essentially emotive, with references to the headline-grabbing subjects of child pornography and terrorism. But, as the article correctly points out, "once mandated by law, the logs likely would be mined during ... even routine criminal investigations".

Fifth, as with data retention on this side of the Atlantic, policy is being made in secret with the public excluded. If the DOJ is confident in the merits of its proposals, perhaps it might try to sell them to the public rather than trying to strong-arm ISPs in private.

Finally, the attempt to obtain "voluntary" cooperation represents a continuation of a worrying trend. The US government, amongst others, has noticed that it can evade pesky constitutional restrictions such as probable cause by "outsourcing" certain activities to private actors who aren't subject to the same restrictions. These data retention proposals have the same air about them. A federal data retention law would face public scrutiny and opposition, a stiff fight through Congress, judicial review, and would likely be found unconstitutional. Hence the attraction of cooperation from ISPs, which would enable the government to achieve indirectly that which it could not do directly, and all without any public fuss. This is good for the government, perhaps, but bad for democracy and the rule of law.

________________________________

*The distinction between data retention and data preservation is explained by the Canadian Department of Justice here:

What is data preservation and how is it different from data retention?

It is important to distinguish between data preservation and data retention. As proposed in the consultation paper, a data preservation order would require a service provider to keep existing data of a specific, identified individual who is identified by the courts as the subject of an investigation and not delete it for a specified period of time. This would ensure that information vital to an investigation is not deleted before the police can obtain a search warrant or production order to access the specific data.

Data retention, on the other hand, involves the collection of data from all users of a communication service - regardless of whether or not they are subject to an investigation.